As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

This entry was posted on Thursday, February 16th, 2012 at 10:42 pm and is filed under ABE, XSS, Mozilla, Security, NoScript.

True dat! Web attacks are becoming much more attractive, as the Web stores many jewels nowadays. And with the power JavaScript is given in today's browsers, XSS will soon be the #1 threat for many of your assets.

I think the developers of JavaScript are the ones collectively who enable it to become too powerful. If something is not broken, do not fix it, and for many things HTML sufficed. Furthermore, JavaScript conflicts with screen readers, which extremely irritates me at times [e.g. Blogger's new optional interface]. People just need to stop developing these web-empowering programming languages because people can do without them.

I don't have a pulpit, but I've been preaching for years to keep your stuff to yourself and out of the cloud as much as possible. But everyone embraces "let someone else do it for me"...

Also, sandboxes included in specific apps surely aren't as effective as OS-based sandboxing of the entire browser? -- even though the latter is also far from perfect, and therefore should be mixed with NoScript, RequestPolicy, and, d'oh, Safe Hex: Don't do your online banking without closing and restarting your browser (configged to dump everything from the browser and the surrounding sandbox); do the same after banking; and don't allow permanent cookies, offline or DOM storage, etc. -- EVER.

For the real tinfoil-hatter, don't run Flash while you're logged into anything you care about, even insecure email. (And use secure email - in a stand-alone browser window -- for stuff that really matters.)

Nothing will ever be 100% safe, but those mitigations would defeat a lot of these and future attacks.
IMHO. YMMV.
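The browser hygiene recommended in the comment above (session-only cookies, no DOM or offline storage, a browser that dumps its state on every restart) can be pinned down in a Firefox profile's `user.js`. The helper below is an added example, not code from this post or from the NoScript project; the preference names are the Firefox preferences as they existed around the time of this post (newer releases have moved or removed some of them), and the `write_hardening_prefs` helper and the profile path you pass to it are hypothetical.

```shell
#!/bin/sh
# Added example: write the "clean browser for banking" preferences from the
# comment above into a Firefox profile's user.js. Preference names are
# assumed to be the Firefox prefs of the 2012 era; check about:config on
# the version you run before relying on them.

# Emit the preference lines in user.js syntax.
hardening_prefs() {
    cat <<'EOF'
// Keep cookies only for the running session (0 = normal, 2 = session-only).
user_pref("network.cookie.lifetimePolicy", 2);
// No DOM storage (localStorage/sessionStorage), offline app cache, or IndexedDB.
user_pref("dom.storage.enabled", false);
user_pref("browser.cache.offline.enable", false);
user_pref("dom.indexedDB.enabled", false);
// Wipe state on shutdown so every banking session starts from a clean browser.
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
EOF
}

# Append the block to a user.js file exactly once.
# Returns 0 when it wrote the prefs, 1 when they were already there.
write_hardening_prefs() {
    target="$1"
    if [ -f "$target" ] && grep -q 'network.cookie.lifetimePolicy' "$target"; then
        return 1   # already hardened, leave the file alone
    fi
    hardening_prefs >> "$target"
}

# Count the user_pref() lines a user.js carries (quick sanity check after writing).
count_hardening_prefs() {
    grep -c '^user_pref("' "$1"
}

# Usage: sh harden-profile.sh /path/to/profile/user.js
if [ -n "${1:-}" ]; then
    write_hardening_prefs "$1" && echo "hardening prefs written to $1"
fi
```

Firefox reads `user.js` at startup and copies its values into `prefs.js`, so the settings survive anything the UI changes; run the script against the profile you use for banking, then restart the browser before and after the session, as the comment suggests.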